
NASA Engineering and Safety Center 

Technical Assessment Report 

Version: 

1.0 

Title: 

National Highway Traffic Safety Administration 

Toyota Unintended Acceleration Investigation - 
Appendix D 

Page #: 

1 of 7 


Appendix D. Summary of Test Scenarios 


Technical Support to the National Highway Traffic 
Safety Administration (NHTSA) on the Reported 
Toyota Motor Corporation (TMC) Unintended 
Acceleration (UA) Investigation 


January 18, 2011 


NESC Assessment #: TI-10-00618 







NASA Engineering and Safety Center 

Technical Assessment Report 

Version: 

1.0 

Title: 

National Highway Traffic Safety Administration 

Toyota Unintended Acceleration Investigation - 
Appendix D 

Page #: 

2 of 7 


This Appendix documents the test scenarios completed by NASA for the National 
Highway Traffic Safety Administration (NHTSA) Toyota Sudden Acceleration Study. 



Figure D-l. Assessment Approach 

Figure D-l illustrates the flow the NESC followed in assessing potential design and 
implementation vulnerabilities in the TMC ETCS-i system that could possibly cause a 
UA. Exploratory analysis and testing looked at interactions of operational sequences and 
events along with one or multiple failure conditions. A significant amount of testing was 
completed to understand how the ETCS-i operates and what fail-safes exist. Once this 
“testing for understanding” was completed, more formal testing of test scenarios of 
operational sequences, and failure conditions was completed. For the purposes of this 
study, functional failures such as open circuit signal lines, short to ground, high 
resistance, shorts between signals and short to source voltage as well as potential design 
vulnerabilities in fault detection and mitigation were the primary focus. Monitoring of 
actual responses inside the ECM hardware was not possible; however, the software 
model and ASIC block diagrams did give a level of insight into system function. Model 
responses were compared to the hardware external responses. Likewise, potential faults 
related to timing margins were beyond the scope of this effort. Test scenarios were run 
on a range of vehicles to encompass major changes such as the potentiometer versus Hall 
Effect sensor changes and ECM evolution. 

Test scenarios were developed based on analysis of software and hardware 
documentation. Table D-l is a list of test scenarios, multiple individual tests grouped into 
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themes, performed in the course of this study. Multiple tests were run for each Scenario 
with different failure conditions and on either a simulator or vehicle(s). Vehicle tests 
were performed at PARK or in idle, at speed or at both conditions. As noted earlier, 
testing was both for understanding and confirmation and the table indicates which were 
done for each scenario. Test for confirmation were more formal tests and included more 
thorough documentation than the tests for understanding. 
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Table D-l. List of Test Scenarios and Conditions 


Function 

Scenario Title 

Objective 

Type of Test (Understanding or 
Confirmation) 

Failure Condition 

Test System/Condition (Simulator or 
Vehicle- PARK or at Speed) 

Throttle 

Map the ECU response to throttle 
sensor inputs 

Map ECU DTC response to throttle sensor signal range 
failures. Determine if there are dead zones and if they can 
be exploited an to force unintended acceleration 

Understanding 

Mapping 

Simulator 

Vehicle - PARK/Idle 

Throttle 

Evaluate computer response to 
failures in the throttle sensors 

Determine if series resistance in throttle sensor power, 
signal line (e.g. high resistance connector contact), or both 
together can result in erroneous throttle signals that cause 
the computer to open the throttle. Address the theory 
proposed by Rajkumar that a valid voltage bias on the 
throttle sensor signals might trick the feedback loop into 
opening the throttle further. Also, test for learning effects 
of sensor signal failures on the Idle Speed Control (ISC) 
system. 

Understanding & Confirmation 

Insert series resistance and noisy 
or failing resistance in the Vc 
(+5 V) supply line, sensor 
ground (5 Volt return) line, 
sensor output 

Simulator 

Vehicle - PARK/idle, at Speed 

Throttle 

Evaluate throttle response to noise 
(AC, spikes, and DC variation) on the 
ECU power supply input (+12 volts) 
and/or output (+5 volts) 

Determine if the ECU power supply is susceptible to 
noise. 

Understanding 

Conducted Susceptibility (CS) 
testing 

Vehicle - PARK/idle, at Speed 

Throttle 

Evaluate throttle response to AC noise 
into the throttle sensor signal 
feedback loop on the PID controller 

Determine if PID controller signal loop is sensitive to AC 
noise 

Understanding 

Phase/gain test set to produce 

Bode plot for the throttle control 
loop. AC sinusoidal variation to 
the VTA1 signal only, VTA2 
signal only and VTA1 & VTA2 
together and VPA1 signal only, 
VPA2 signal only, VPA2 signal 
only, and VPA1 & VPA2 signal 
together. 

Simulator 

Throttle 

Evaluate motor/bridge failure 
detection logic (includes the motor, 
H-Bridge or Motor ASIC) 

Test the effect of anomalous throttle motor drive on the 
electronic throttle system. Also investigate possibilities 
of throttle motor latch-up. 

Understanding & Confirmation 

Force the vehicle throttle to open 
using the simulator and the 
power (M+) line 

Simulator 

Vehicle - PARK/idle 
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Function 

Scenario Title 

Objective 

Type of Test (Understanding or 
Confirmation) 

Failure Condition 

Test System/Condition (Simulator or 
Vehicle- PARK or at Speed) 

Throttle 

Evaluate effects of throttle angle on 
vehicle acceleration? 

Collect data to measure the effect that throttle opening has 
on acceleration 

Understanding 

Release brake at throttle 3, 5, 10, 

& 18 % opening conditions & 
step throttle to 3, 5, 10, & 18% 
throttle opening at 30 mph 

Vehicle - Idle & 30 mph 

Throttle 

Throttle angle air flow test 

Understand air flow from different engine conditions 

Understanding 

Measure mass airflow at 
different engine conditions 

Vehicle -Park and from 0 to ~60mph 

Pedal 

Map the ECU response to the pedal 
sensor inputs 

Map engine ECU DTC response to pedal sensor signal 
range failures. Verify dead zones where faults may not be 
detected per software model results 

Understanding 

Mapping 

Simulator 

Vehicle - PARK/Idle 

Pedal 

Evaluate throttle response to failures 
in the pedal sensors 

Determine if anomalies in pedal sensor power, signal line 
or both together can result in erroneous pedal signals that 
cause the computer to open the throttle more than desired 
and test for learning effects of sensor signal failures on 
the Idle Speed Control (ISC) system. 

Understanding & Confirmation 

Step VPA1 signal from 0 to 5 
volts in increments while the 

VPA2 signal is normal idle 
VPA1&VPA2 signal fail open 
circuit, short to (with resistance) 
+12 Volts, and short to ground 
Partially paired VPA1 and VPA2 
signal with resistance and with 
added resistance & opens to the 
individual pedal signals 

Simulator 

Vehicle - PARK/idle, at Speed 

Pedal 

Evaluate the pedal to throttle control 
loop stability and transient response 

Test to characterize the pedal to throttle control loop 
phase and gain margin and transient response. 

Understanding 

Use phase/gain test set to inject 
signal across the 100 ohm 
resistor and produce Bode plot 
for the pedal to throttle control 
loop. Also characterize step 
response. 

Simulator 
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Function 

Scenario Title 

Objective 

Type of Test (Understanding or 
Confirmation) 

Failure Condition 

Test System/Condition (Simulator or 
Vehicle- PARK or at Speed) 

Pedal 

Characterization of defective pedal 

Characterize a defective pedal mechanically, electrically 
and its's performance 

Understanding 

Examine the defective pedal to 
determine its failure mode, 
cause, and effects on the vehicle 
under different conditions 

Simulator 

Vehicle - PARK/idle, at Speed 

Idle Speed Control 

Evaluate throttle response to failures 
in electrical load sensors 

Test effect of electrical load switch signal failures on the 
electronic throttle system. 

Understanding 

Fail the sensing signals from the 
Air Conditioning, Headlamp, and 
Radiator Fan electrical load 
on/off signals 

Vehicle - PARK/idle 

Idle Speed Control 

Evaluate throttle response to failures 
in mechanically load sensors 

Test effect of mechanical load switch signal failures on 
the electronic throttle system. 

Understanding & Confirmation 

Fail the sensing signals from the 
engine coolant temperature, 
temperature of air flow, timing, 
Crankshaft and camshaft signals 
(timing, crankshaft & camshaft 
to noise also) 

Vehicle - PARK/idle, at Speed) 

Cruise Control Vehicle 

Evaluate cruise control switch failures 
for increased acceleration 

Test warning signs that switches may get stuck on and/or 
be susceptible to noise inducing unintended set speed 

Understanding & Confirmation 

Fail the signal by short to +12 
Volts, short to Ground, and 
resistive shorts to Ground. 

Vehicle at Speed 

Cruise Control Vehicle 

Evaluate cruise control switch failures 
for increased acceleration 

Test warning signs that switches may get stuck on and/or 
be susceptible to noise inducing unintended set speed 

Understanding & Confirmation 

Fail the switch to set state and 
accelerate, attempt to 
“CANCEL” or “OFF” using the 
Cruise Control switch 

Vehicle at Speed 

Cruise Control Vehicle 

Evaluate the effects of noise 
introduced into the cruise control line 
on unintended increased throttle angle 

Determine if the Cruise Control system is susceptible to 
noise inducing unintended set speed. 

Understanding & Confirmation 

Conducted Susceptibility testing 

Vehicle at Speed 
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Function 

Scenario Title 

Objective 

Type of Test (Understanding or 
Confirmation) 

Failure Condition 

Test System/Condition (Simulator or 
Vehicle- PARK or at Speed) 

Cruise Control Vehicle 

Evaluate brake switch failures effects 
on preventing the cancelling of cruise 
control 

Test effect of failed brake switch and its effect on cruise 
control enable/cancel and determine if DTC is set 

Understanding & Confirmation 

Fail the normally open & closed 
signal, and apply brakes when 
engaged and engaging 
enable/cancel switch. 

Enable Cruise control and 
restrain the brake plunger and 
verify vehicle maintains speed 
when brake is pressed. Press the 
brake as if to cancel the cruise 
control. 

Vehicle at Speed 

Trans-mission Shifting 

Evaluate torque converter lock up on 
speed increase 

Test to determine whether the vehicle reaches a steady 
state under load with a given accelerator position and if it 
continues to demand an increase in throttle 

Understanding & Confirmation 

Dynamometer - 150 ft-lb. load - 
increase speed past torque 
convertor lock-up of ~34 mph 

Vehicle at Speed 

Fuel Cutoff 

Fuel cutoff test 

Evaluate conditions for Fuel Cutoff 

Understanding & Confirmation 

Record conditions that cause 
each of the Fuel Cutoff modes to 
engage and disengage 

Vehicle - PARK/idle, at Speed 

Inspection and evaluation of complaint cars 

Inspection and evaluation of 
complaint cars 

Characterize available suspect vehicles in an attempt to 
replicate the initial complaint, including possible fault 
traces. 

Understanding 

Measure voltages, resistances, 
DTC's and inspect for anomalies 

Vehicle - PARK/idle, at Speed 
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